From: Sergey Vlasov <vsu@altlinux.ru>
To: linux-hotplug@vger.kernel.org
Subject: Re: [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer
Date: Thu, 01 Feb 2007 19:09:00 +0000 [thread overview]
Message-ID: <20070201190900.GC6381@procyon.home> (raw)
In-Reply-To: <1170342384945-git-send-email-vsu@altlinux.ru>
[-- Attachment #1.1: Type: text/plain, Size: 1232 bytes --]
On Thu, Feb 01, 2007 at 06:18:16PM +0100, Kay Sievers wrote:
> On 2/1/07, Sergey Vlasov <vsu@altlinux.ru> wrote:
> >When truncating the substitution string to the length specified in the
> >format string, head[len] = '\0' could write outside the buffer if that
> >length was too large.
> >
> >Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
> >---
> > udev_rules.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> >diff --git a/udev_rules.c b/udev_rules.c
> >index 44b41e9..90a83e5 100644
> >--- a/udev_rules.c
> >+++ b/udev_rules.c
> >@@ -558,7 +558,7 @@ found:
> > break;
> > }
> > /* possibly truncate to format-char specified length */
> >- if (len != -1) {
> >+ if (len >= 0 && (size_t)len < maxsize - (head-string)) {
>
> Yeah, that should be fixed. Wouldn't:
> if (len >= 0 && len <= strlen(head))
> also catch strings which fit in the buffer, but are shorter than the
> specified limit?
Yes, this should work properly too (or even "&& len < strlen(head)" to
skip writing '\0' over itself). Working in constant time is probably
not an issue here, given the number of strlcat() calls around.
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 374 bytes --]
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
[-- Attachment #3: Type: text/plain, Size: 226 bytes --]
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
next prev parent reply other threads:[~2007-02-01 19:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-01 15:06 [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer when Sergey Vlasov
2007-02-01 17:18 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer Kay Sievers
2007-02-01 19:09 ` Sergey Vlasov [this message]
2007-02-01 19:26 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the Kay Sievers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070201190900.GC6381@procyon.home \
--to=vsu@altlinux.ru \
--cc=linux-hotplug@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).